[cryptography] Diginotar Lessons Learned (long)

James A. Donald jamesd at echeque.com
Sun Sep 11 06:23:50 EDT 2011


 >> On 2011-09-11 9:10 AM, Andy Steingruebl wrote:
 >>> 1. Phishing isn't the only problem right?

On 2011-09-11 7:44 PM, Ian G wrote:
 > Malware + breaches might be the other  2 biggies.

We now know in principle how to make malware resistant operating 
systems, http://jim.com/security/safe_operating_system.html, and the 
major operating system vendors are moving in that direction, though 
backward compatibility means they move slowly.

Breaches of servers usually involve SQL injection.  There are usually 
other steps in the process, but one of the key steps is usually SQL 
injection.

It is a really bad idea for the web page to interface with the database 
by constructing command strings.  It needs to interface by calling 
compiled procedures that have an argument list.  This would make it 
difficult to write code vulnerable to SQL injection, instead of 
difficult to avoid writing code vulnerable to SQL injection



More information about the cryptography mailing list